Once you enable IRF on a device, the option to mirror a VLAN or any other virtual interface is disabled. Take for example a situation where you want to mirror a VLAN and send that traffic off to an IDS for inspection. You have two options for getting around this when using IRF.
1. You can mirror every port that belongs to the VLAN and send that traffic to a monitor port.
2. You can create a QoS policy whose action is to mirror traffic, then apply this policy to the required ports.
Here's an example of a mirroring policy. I created this on a 5800, but it should be similar on any Comware device.
acl number 3000 name mirror
 rule 0 permit ip source 10.0.0.0 0.255.255.255
#
traffic classifier mirror-class operator and
 if-match acl name mirror
#
traffic behavior mirror-behavior
 mirror-to interface GigabitEthernet1/0/12
#
qos policy mirror-policy
 classifier mirror-class behavior mirror-behavior
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 47
 qos apply policy mirror-policy inbound
 qos apply policy mirror-policy outbound
This is a perfect solution for many networks. You can create a policy that matches the subnets of the VLANs you want to mirror, then apply the policy to the appropriate interfaces. You can also create two different policies. This would allow you to have a monitor port on 12508-1 and a different monitor port on 12508-2, so the mirrored traffic will remain local and not cross the IRF links.
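As an added example (my own code, not from the original post), here is a small Python generator for the two-policy variant just described: it emits one ACL and classifier, then one behavior and policy per IRF member pointing at that member's local monitor port, and applies the matching policy to each access port. It assumes the IRF member id is the first number in the Comware interface name (GigabitEthernet2/0/4 is member 2); the ACL number, object names, subnets and interface names are constructed for the example.

```python
import ipaddress

# Alphabet used to strip the interface type prefix from a Comware interface name.
_LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"


def wildcard(cidr):
    """Comware ACL rules take a wildcard (inverted) mask: 10.0.0.0/8 -> 0.255.255.255."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.hostmask)


def irf_member(iface):
    """Assumption: the IRF member id is the first number of the interface name."""
    return int(iface.lstrip(_LETTERS).split("/")[0])


def mirror_policy_config(subnets, monitor_ports, access_ports,
                         directions=("inbound", "outbound")):
    """Build config with one mirror policy per IRF member so mirrored traffic
    stays on the member that received it and never crosses the IRF links.
    monitor_ports: {member_id: monitor interface}; access_ports: ports to mirror."""
    lines = ["acl number 3000 name mirror"]
    for i, cidr in enumerate(subnets):  # one permit rule per VLAN subnet
        addr, wc = wildcard(cidr)
        lines.append(f" rule {i} permit ip source {addr} {wc}")
    lines += ["#", "traffic classifier mirror-class operator and",
              " if-match acl name mirror"]
    for member, mon in sorted(monitor_ports.items()):  # per-member behavior + policy
        lines += ["#", f"traffic behavior mirror-behavior-{member}",
                  f" mirror-to interface {mon}",
                  "#", f"qos policy mirror-policy-{member}",
                  f" classifier mirror-class behavior mirror-behavior-{member}"]
    for port in access_ports:  # apply the policy that is local to the port's member
        member = irf_member(port)
        if member not in monitor_ports:
            raise ValueError(f"no monitor port defined for IRF member {member} ({port})")
        lines += ["#", f"interface {port}"]
        for d in directions:
            lines.append(f" qos apply policy mirror-policy-{member} {d}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: two IRF members, one local monitor port each.
    print(mirror_policy_config(["10.0.0.0/8", "192.168.47.0/24"],
                               {1: "GigabitEthernet1/0/12", 2: "GigabitEthernet2/0/12"},
                               ["GigabitEthernet1/0/4", "GigabitEthernet2/0/4"]))
```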
This would be a great solution if it were scalable. I took a crack at this, and it works for a single classifier - maybe two.
But if I want multiple classifiers then when I go to apply this to a listener interface I get "Application failed: insufficient Hardware Resources" - this on a JC100A.
Does this work on BAGG interfaces?